From 13cc0c5f5ae998963a641b1bbfcfd28bd76dd7a4 Mon Sep 17 00:00:00 2001 From: Jim Enright Date: Mon, 25 Sep 2023 12:31:46 +0100 Subject: [PATCH] Address tfsec issues in vpc sub-module Signed-off-by: Jim Enright --- .../.tfsec/config.yml | 1 + modules/terraform-cdp-aws-pre-reqs/README.md | 14 +++- modules/terraform-cdp-aws-pre-reqs/main.tf | 7 ++ .../modules/vpc/main.tf | 10 +++ .../modules/vpc/variables.tf | 30 +++++++- .../terraform-cdp-aws-pre-reqs/variables.tf | 71 +++++++++++++++++++ 6 files changed, 131 insertions(+), 2 deletions(-) diff --git a/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml b/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml index 736bc48..3be7a21 100644 --- a/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml +++ b/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml @@ -14,4 +14,5 @@ exclude: #region3 TODO: Explore how to expose these parameters - aws-s3-enable-versioning - aws-s3-enable-bucket-logging + - aws-ec2-require-vpc-flow-logs-for-all-vpcs #endregion3 \ No newline at end of file diff --git a/modules/terraform-cdp-aws-pre-reqs/README.md b/modules/terraform-cdp-aws-pre-reqs/README.md index fec5333..a666465 100644 --- a/modules/terraform-cdp-aws-pre-reqs/README.md +++ b/modules/terraform-cdp-aws-pre-reqs/README.md @@ -75,7 +75,11 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [aws_iam_role_policy_attachment.cdp_ranger_audit_role_attach3](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_ranger_audit_role_attach4](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cdp_xaccount_role_attach](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_alias.cdp_kms_alias](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/kms_alias) | resource | +| [aws_kms_key.cdp_kms_key](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/kms_key) | resource | | [aws_s3_bucket.cdp_storage_locations](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_public_access_block.cdp_storage_locations](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.cdp_storage_location_kms](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_object.cdp_backup_storage_object](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_object) | resource | | [aws_s3_object.cdp_log_storage_object](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/s3_object) | resource | | [aws_security_group.cdp_default_sg](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/resources/security_group) | resource | @@ -143,6 +147,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [datalake\_backup\_policy\_name](#input\_datalake\_backup\_policy\_name) | Datalake backup Data Access Policy Name | `string` | `null` | no | | [datalake\_restore\_policy\_doc](#input\_datalake\_restore\_policy\_doc) | Location of Datalake Restore Data Access Policy | `string` | `null` | no | | [datalake\_restore\_policy\_name](#input\_datalake\_restore\_policy\_name) | Datalake restore Data Access Policy Name | `string` | `null` | no | +| [enable\_kms\_bucket\_encryption](#input\_enable\_kms\_bucket\_encryption) | Flag to create AWS KMS for encryption of S3 buckets. Currently disabled as further settings needed for successful CDP deployment. | `bool` | `false` | no | | [env\_tags](#input\_env\_tags) | Tags applied to provised resources | `map(any)` | `null` | no | | [idbroker\_policy\_name](#input\_idbroker\_policy\_name) | IDBroker Policy name | `string` | `null` | no | | [idbroker\_role\_name](#input\_idbroker\_role\_name) | IDBroker service role Name | `string` | `null` | no | @@ -152,7 +157,9 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [log\_data\_access\_policy\_name](#input\_log\_data\_access\_policy\_name) | Log Data Access Policy Name | `string` | `null` | no | | [log\_role\_name](#input\_log\_role\_name) | Log service role Name | `string` | `null` | no | | [log\_storage](#input\_log\_storage) | Optional log locations for CDP environment. If not provided follow the data\_storage variable | 
object({
    log_storage_bucket = string
    log_storage_object = string
  })
| `null` | no | +| [private\_cidr\_range](#input\_private\_cidr\_range) | Size of each private subnet. Required if create\_vpc is true. Number of subnets will be automatically selected to match on the number of Availability Zones in the selected AWS region. (Depending on the selected deployment pattern, one subnet will be created per region.) | `number` | `19` | no | | [private\_network\_extensions](#input\_private\_network\_extensions) | Enable creation of resources for connectivity to CDP Control Plane (public subnet and NAT Gateway) for Private Deployment. Only relevant for private deployment template | `bool` | `true` | no | +| [public\_cidr\_range](#input\_public\_cidr\_range) | Size of each public subnet. Required if create\_vpc is true. Number of subnets will be automatically selected to match on the number of Availability Zones in the selected AWS region. (Depending on the selected deployment pattern, one subnet will be created per region.) | `number` | `24` | no | | [random\_id\_for\_bucket](#input\_random\_id\_for\_bucket) | Create a random suffix for the bucket names | `bool` | `true` | no | | [ranger\_audit\_role\_name](#input\_ranger\_audit\_role\_name) | Ranger Audit role Name | `string` | `null` | no | | [ranger\_audit\_s3\_policy\_doc](#input\_ranger\_audit\_s3\_policy\_doc) | Location or Contents of Ranger S3 Audit Data Access Policy | `string` | `null` | no | @@ -160,9 +167,14 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [security\_group\_default\_name](#input\_security\_group\_default\_name) | Default Security Group for CDP environment | `string` | `null` | no | | [security\_group\_endpoint\_name](#input\_security\_group\_endpoint\_name) | Security Group for VPC Endpoints | `string` | `null` | no | | [security\_group\_knox\_name](#input\_security\_group\_knox\_name) | Knox Security Group for CDP environment | `string` | `null` | no | -| [vpc\_cidr](#input\_vpc\_cidr) | VPC CIDR Block | `string` | `"10.10.0.0/16"` | no | +| [vpc\_cidr](#input\_vpc\_cidr) | VPC CIDR Block. Required if create\_vpc is true. | `string` | `"10.10.0.0/16"` | no | | [vpc\_endpoint\_gateway\_services](#input\_vpc\_endpoint\_gateway\_services) | List of AWS services used for VPC Gateway Endpoints | `list(string)` | 
[
  "s3"
]
| no | | [vpc\_endpoint\_interface\_services](#input\_vpc\_endpoint\_interface\_services) | List of AWS services used for VPC Interface Endpoints | `list(string)` | 
[
  "sts",
  "rds",
  "elasticloadbalancing",
  "elasticfilesystem",
  "eks",
  "ecr.dkr",
  "ecr.api",
  "ec2",
  "cloudformation",
  "autoscaling"
]
| no | +| [vpc\_private\_inbound\_acl\_rules](#input\_vpc\_private\_inbound\_acl\_rules) | Private subnets inbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` | 
[
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
| no | +| [vpc\_private\_outbound\_acl\_rules](#input\_vpc\_private\_outbound\_acl\_rules) | Private subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` | 
[
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
| no | +| [vpc\_public\_inbound\_acl\_rules](#input\_vpc\_public\_inbound\_acl\_rules) | Inbound network ACLs for Public subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` | 
[
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
| no | +| [vpc\_public\_outbound\_acl\_rules](#input\_vpc\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` | 
[
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
| no | +| [vpc\_public\_subnets\_map\_public\_ip\_on\_launch](#input\_vpc\_public\_subnets\_map\_public\_ip\_on\_launch) | Auto-assign public IP on launch for instances created in Public Subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `bool` | `true` | no | | [xaccount\_account\_policy\_doc](#input\_xaccount\_account\_policy\_doc) | Location of cross acount policy document | `string` | `null` | no | | [xaccount\_policy\_name](#input\_xaccount\_policy\_name) | Cross Account Policy name | `string` | `null` | no | | [xaccount\_role\_name](#input\_xaccount\_role\_name) | Cross account Assume role Name | `string` | `null` | no | diff --git a/modules/terraform-cdp-aws-pre-reqs/main.tf b/modules/terraform-cdp-aws-pre-reqs/main.tf index d0d7f4b..966c381 100644 --- a/modules/terraform-cdp-aws-pre-reqs/main.tf +++ b/modules/terraform-cdp-aws-pre-reqs/main.tf @@ -28,6 +28,13 @@ module "aws_cdp_vpc" { private_cidr_range = var.private_cidr_range public_cidr_range = var.public_cidr_range + + vpc_public_subnets_map_public_ip_on_launch = var.vpc_public_subnets_map_public_ip_on_launch + + vpc_public_inbound_acl_rules = var.vpc_public_inbound_acl_rules + vpc_public_outbound_acl_rules = var.vpc_public_outbound_acl_rules + vpc_private_inbound_acl_rules = var.vpc_private_inbound_acl_rules + vpc_private_outbound_acl_rules = var.vpc_private_outbound_acl_rules } # ------- Security Groups ------- diff --git a/modules/terraform-cdp-aws-pre-reqs/modules/vpc/main.tf b/modules/terraform-cdp-aws-pre-reqs/modules/vpc/main.tf index 2711c4a..f2fa1c2 100644 --- a/modules/terraform-cdp-aws-pre-reqs/modules/vpc/main.tf +++ b/modules/terraform-cdp-aws-pre-reqs/modules/vpc/main.tf @@ -12,6 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +#tfsec:ignore:aws-ec2-no-excessive-port-access +#tfsec:ignore:aws-ec2-no-public-ingress-acl +#tfsec:ignore:aws-ec2-no-public-ip-subnet module "cdp_vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.19.0" @@ -46,5 +49,12 @@ module "cdp_vpc" { enable_dns_support = true enable_dns_hostnames = true + map_public_ip_on_launch = var.vpc_public_subnets_map_public_ip_on_launch + + public_inbound_acl_rules = var.vpc_public_inbound_acl_rules + public_outbound_acl_rules = var.vpc_public_outbound_acl_rules + private_inbound_acl_rules = var.vpc_private_inbound_acl_rules + private_outbound_acl_rules = var.vpc_private_outbound_acl_rules + tags = var.tags } diff --git a/modules/terraform-cdp-aws-pre-reqs/modules/vpc/variables.tf b/modules/terraform-cdp-aws-pre-reqs/modules/vpc/variables.tf index 2c2e09c..c951e13 100644 --- a/modules/terraform-cdp-aws-pre-reqs/modules/vpc/variables.tf +++ b/modules/terraform-cdp-aws-pre-reqs/modules/vpc/variables.tf @@ -57,4 +57,32 @@ variable "private_network_extensions" { } - \ No newline at end of file +variable "vpc_public_subnets_map_public_ip_on_launch" { + description = "Auto-assign public IP on launch for instances created in Public Subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create_vpc is true." + type = bool + +} + +variable "vpc_public_inbound_acl_rules" { + description = "Inbound network ACLs for Public subnets. Exposes default value of VPC module variable to allow for overriding." + type = list(map(string)) + +} + +variable "vpc_public_outbound_acl_rules" { + description = "Public subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding." + type = list(map(string)) + +} + +variable "vpc_private_inbound_acl_rules" { + description = "Private subnets inbound network ACLs. Exposes default value of VPC module variable to allow for overriding." + type = list(map(string)) + +} + +variable "vpc_private_outbound_acl_rules" { + description = "Private subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding." + type = list(map(string)) + +} \ No newline at end of file diff --git a/modules/terraform-cdp-aws-pre-reqs/variables.tf b/modules/terraform-cdp-aws-pre-reqs/variables.tf index 9a7c222..b19f408 100644 --- a/modules/terraform-cdp-aws-pre-reqs/variables.tf +++ b/modules/terraform-cdp-aws-pre-reqs/variables.tf @@ -117,6 +117,77 @@ variable "private_network_extensions" { default = true } +variable "vpc_public_subnets_map_public_ip_on_launch" { + description = "Auto-assign public IP on launch for instances created in Public Subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create_vpc is true." + type = bool + + default = true +} + +variable "vpc_public_inbound_acl_rules" { + description = "Inbound network ACLs for Public subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create_vpc is true." + type = list(map(string)) + + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "vpc_public_outbound_acl_rules" { + description = "Public subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create_vpc is true." + type = list(map(string)) + + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "vpc_private_inbound_acl_rules" { + description = "Private subnets inbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create_vpc is true." + type = list(map(string)) + + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "vpc_private_outbound_acl_rules" { + description = "Private subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create_vpc is true." + type = list(map(string)) + + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + variable "cdp_vpc_id" { type = string description = "VPC ID for CDP environment. Required if create_vpc is false."